Cyble – The Growing Threat Of ChatGPT-Based Phishing Attacks

Threat actors are weaponizing ChatGPT’s popularity to spread malware and phishing campaigns across Windows and Android, using fraudulent pages and typosquatted domains to lure victims into downloading malicious payloads. The campaigns distribute stealer malware such as Lumma Stealer, Aurora Stealer, and Clipper, plus fake ChatGPT payment pages and numerous Android apps masquerading as ChatGPT. #LummaStealer #AuroraStealer #Clipper #Spynote #SMSFraud #ChatGPTPhishing #OpenAI #ChatGPT

Keypoints

  • CRIL identified an unofficial ChatGPT social media page promoting links to phishing pages that download malware.
  • Phishing typosquatted domains imitate ChatGPT/OpenAI and redirect users to counterfeit sites that offer a “DOWNLOAD FOR WINDOWS” button.
  • Phishing pages host multiple malware families (Lumma Stealer, Aurora Stealer, Clipper) and deliver a fake OpenAI/ChatGPT site to harvest data and payments.
  • Android malware impersonating ChatGPT (over 50 fake apps) uses dangerous manifest permissions to steal data and perform billing fraud via SMS.
  • A Spynote variant masquerades as ChatGPT, seeking extensive data (call logs, contacts, SMS, media) from infected devices.
  • Recommendations emphasize avoiding unknown downloads, using security software, verifying links, and enabling controls like DLP and MFA.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Phishing links on unofficial pages lead users to typosquatted domains masquerading as the official ChatGPT site. Quote: “The below image depicts one of the posts… a link that leads to a typosquatted domain, masquerading as the official website of ChatGPT.”
  • [T1036] Masquerading – Malware uses the name and icon of ChatGPT to appear legitimate. Quote: “The malware uses the name and icon of ChatGPT but has no AI functionality.”
  • [T1204.002] User Execution: Malicious File – A counterfeit OpenAI site presents a “DOWNLOAD FOR WINDOWS” button that downloads potentially harmful executables. Quote: “presents users with a ‘DOWNLOAD FOR WINDOWS’ button, which, when clicked, downloads potentially harmful executable files.”
  • [T1005] Data from Local System – After execution, the stealer collects sensitive data on the victim’s device. Quote: “it can collect sensitive data without the victim’s knowledge.”
  • [T1566.003] Phishing: Spearphishing via Service – Phishing pages also serve fake OpenAI/ChatGPT payment pages that collect credentials and credit card details. Quote: “phishing sites were also distributing several notorious malware families… for phishing attacks.”
  • [T1189] Drive-by Compromise – Implied by the redirect chain: users sent to the phishing pages are prompted to download the payload as soon as they land. Quote: “links that lead users to phishing pages…”
  • [T1402] Data from Information Repositories (Android) – Mobile apps masquerading as ChatGPT (the Spynote variant) steal call logs, contacts, SMSs, media files, and other data from the infected device. Quote: “steals sensitive data such as call logs, contacts, SMSs, media files, and other data from an infected device.”

Indicators of Compromise

  • [File Hash] 4e8d09ca0543a48f649fce72483777f0, cebddeb999f4809cf7fd7186e20dc0cc8b88689d
  • [File Hash] d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c
  • [Domain] openai-pc-pro.online (Fake ChatGPT Website)
  • [Domain] chat-gpt-pc.online (Fake ChatGPT Website)
  • [Domain] chatgpt-go.online (Fake ChatGPT Website)
  • [URL] hxxp://chatgpt-go.online/clip[.]exe (Clipper)
  • [URL] hxxp://chatgpt-go.online/java[.]exe (Aurora)
  • [URL] hxxps://rebrand[.]ly/qaltfnuChatGPTOpenAI (Stealer)
  • [File] Installer_3.64_win64_86-setup+manual.zip (Archive)
  • [File] Installer_3.64_win64_86.exe (Lumma Stealer)
  • [File] ChatGPT-OpenAI-Pro-Full-134676745403.exe (Stealer)
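As an added defensive example (not code from the Cyble report), the Python below matches proxy-log URLs against the report's listed URLs and domains and also flags lookalike hosts that carry the “chatgpt”/“openai” brand tokens outside openai.com, which generalizes the typosquat pattern beyond the three listed domains. The log format, the sample lines, the `.example` host and the assumption that openai.com is the only sanctioned domain are mine, not the report's.

```python
import re
from urllib.parse import urlsplit

# Indicators from the report's IoC list, kept defanged; normalize() refangs them for comparison.
IOC_URLS = {"hxxp://chatgpt-go.online/clip[.]exe", "hxxp://chatgpt-go.online/java[.]exe",
            "hxxps://rebrand[.]ly/qaltfnuChatGPTOpenAI"}
IOC_DOMAINS = {"openai-pc-pro.online", "chat-gpt-pc.online", "chatgpt-go.online"}
BRAND_TOKENS = ("chatgpt", "openai")
LEGIT_SUFFIX = "openai.com"  # assumption: the only sanctioned domain for these brand names

def normalize(url):
    """Return (host, scheme://host/path); host lowercased, path case kept (shortener slugs are case-sensitive)."""
    # Refang defanged indicators (hxxp, [.]) so they compare with live log URLs.
    p = urlsplit(url.strip().replace("hxxp", "http").replace("[.]", "."))
    host = (p.hostname or "").lower()
    return host, f"{p.scheme.lower()}://{host}{p.path}"

NORMALIZED_IOC_URLS = {normalize(u)[1] for u in IOC_URLS}

def classify(url):
    """Verdict for one URL: 'ioc' (exact indicator), 'lookalike' (brand token outside openai.com) or 'ok'."""
    host, full = normalize(url)
    if full in NORMALIZED_IOC_URLS or host in IOC_DOMAINS:
        return "ioc", f"known indicator {full}"
    if host == LEGIT_SUFFIX or host.endswith("." + LEGIT_SUFFIX):
        return "ok", "sanctioned domain"
    # Collapse separators so 'chat-gpt-pc.online' exposes the token 'chatgpt' like 'chatgpt-go.online' does.
    if any(t in re.sub(r"[^a-z0-9]", "", host) for t in BRAND_TOKENS):
        return "lookalike", f"brand token in unsanctioned host {host}"
    return "ok", "no match"

def scan_proxy_log(lines):
    """Scan proxy lines of the form '<time> <client> <method> <url> <status>'; return flagged hits."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 5:
            continue  # skip malformed lines instead of crashing
        verdict, reason = classify(f[3])
        if verdict != "ok":
            hits.append((f[1], f[3], verdict, reason))
    return hits

# Constructed sample lines (not from the report); client addresses and the .example host are fictional.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 GET https://chat.openai.com/ 200",
    "12:01:13 10.0.0.9 GET http://chatgpt-go.online/clip.exe 200",
    "12:02:40 10.0.0.9 GET https://rebrand.ly/qaltfnuChatGPTOpenAI 302",
    "12:03:02 10.0.0.7 GET https://openai-desktop-pro.example/setup.exe 200",
]
```

The rebrand.ly entry only matches on the full URL, which is why shortener indicators must be kept as URLs rather than reduced to their domain.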

Read more: https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/